Permissions control what users can do in the platform. Unlike organizational roles, permissions directly grant access to features and data.
Looking for how to create positions like “President” or “Secretary”? See Roles for organizational structure.

Permission Domains Overview

Orgo has 6 permission domains, each controlling a specific area of the platform:
Domain | Purpose | Key Capabilities
ADMIN | Full platform control | All settings, billing, integrations, user management
HR | Member management | Profiles, adhesions, resignations, imports, badges
HR_ASSISTANT | Support tasks | Identity validation, GDPR requests, gamification
FINANCIAL | Money matters | Products, fees, payments, financial reports
EVENT | Event management | Create events, manage attendance, reports
COMMUNICATION | Messaging | Newsletters, discussion moderation
ADMIN is the highest permission - users with ADMIN have access to everything, including all other domains.

Domain Comparison

What Can Each Permission Do?

This table shows which features each permission domain controls:
Feature | ADMIN | HR | HR_ASSISTANT | FINANCIAL | EVENT | COMMUNICATION
Organization Settings
Billing & Subscription
Module Configuration
API & Integrations
Local Center Settings
User Permission Management
View/Edit Member Profiles
Process Adhesions
Handle Resignations
Member Imports
Manage Badges
Official Gazette
Export Members
Identity Validation
GDPR Data Requests
Gamification / Hours
Manage Products
Configure Fees
Process Payments
Financial Reports
Stripe Configuration
Create/Edit Events
Manage Attendees
Event Check-in (QR)
Event Reports
Courses
Create Newsletters
Moderate Discussions
Manage Discussion Categories

Detailed Domain Descriptions

ADMIN
Who needs it: Executive team, IT administrators, platform managers
What it controls:
  • All organization settings and configuration
  • Billing, subscription, and payment gateway setup
  • Feature flags and module activation
  • API access and integrations
  • User permission assignment
  • Local center creation and settings
Important: ADMIN permission grants access to everything. Users with ADMIN can do anything that HR, FINANCIAL, EVENT, or COMMUNICATION can do.
Be careful assigning ADMIN. These users have access to all organization data, financial information, and can modify any settings.
HR
Who needs it: HR staff, membership officers, secretaries
What it controls:
  • View and edit member profiles
  • Process membership adhesions (applications)
  • Handle member resignations
  • Import members in bulk
  • Manage badges and gamification
  • Access Official Gazette
  • Export member data
  • View birth dates and personal information
Includes: HR permission automatically includes HR_ASSISTANT capabilities.
HR_ASSISTANT
Who needs it: Volunteers helping with membership, identity validators
What it controls:
  • Identity document validation
  • GDPR data requests processing
  • Gamification and training hours tracking
  • View (not edit) member information
Note: This is a lighter permission for users who need to help with specific HR tasks without full member management access.
FINANCIAL
Who needs it: Treasurers, finance officers, accountants
What it controls:
  • Create and manage products
  • Configure membership fees
  • Process payments and refunds
  • View financial reports and statistics
  • Manage Stripe integration
  • Export financial data
Includes: FINANCIAL permission automatically includes HR_ASSISTANT capabilities (for viewing member info related to payments).
EVENT
Who needs it: Event coordinators, activity managers
What it controls:
  • Create and edit events
  • Manage event attendees
  • Check-in participants (QR scanning)
  • Generate event reports
  • Manage courses and training sessions
  • Configure event ticketing
Does NOT include: Financial event settings (ticket pricing) require FINANCIAL permission.
COMMUNICATION
Who needs it: Communications officers, community managers
What it controls:
  • Create and send newsletters
  • Moderate discussion forums
  • Manage discussion categories
  • Pin/delete discussion posts
  • Send announcements

Permission Hierarchy

Permissions have a hierarchy where higher permissions include lower ones:
ADMIN ─────────────────────────────────────────────────
   │                                         (highest)
   ├── HR ──────────────┬── HR_ASSISTANT
   │                    │
   ├── FINANCIAL ───────┘

   ├── EVENT

   └── COMMUNICATION

Automatic Inclusions

If user has… | They automatically get…
ADMIN | All permissions (HR, FINANCIAL, EVENT, COMMUNICATION, HR_ASSISTANT)
HR | HR_ASSISTANT
FINANCIAL | HR_ASSISTANT
Example: A user with HR permission can also validate identities and manage gamification (HR_ASSISTANT features) without needing a separate assignment.

Scope Levels (TENANT / PARENT_LOCAL / LOCAL)

Each permission domain can be assigned at different scope levels that control what data the user can access:
Scope | Suffix | What data can they access?
Organization | _TENANT | All data across the entire organization
Regional | _PARENT_LOCAL | Parent local center + all its child centers
Local | _LOCAL | Only their assigned local center

How it works

The same permission at different scopes gives access to the same features, but limited to different data:
Permission | Features | Data Access
HR_TENANT | Member management | All members in organization
HR_PARENT_LOCAL | Member management | Members in parent center + children
HR_LOCAL | Member management | Members in own local center only
Key principle: _TENANT permission automatically covers all _PARENT_LOCAL and _LOCAL data within that domain.

Visual Example

National Organization (TENANT)
├── Region North (PARENT_LOCAL)
│   ├── Branch A (LOCAL)
│   ├── Branch B (LOCAL)
│   └── Branch C (LOCAL)
└── Region South (PARENT_LOCAL)
    ├── Branch D (LOCAL)
    └── Branch E (LOCAL)

HR_TENANT      → Can manage members in ALL branches
HR_PARENT_LOCAL (Region North) → Can manage members in A, B, C only
HR_LOCAL (Branch A) → Can manage members in Branch A only
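
The inclusion rules from Permission Hierarchy and the scope rules above, modeled as an added example (not Orgo's code) that answers "can this user act on that center?" and lists grants already covered by another grant, the case the Troubleshooting section mentions. It assumes domain inclusion and scope apply independently and uses the center tree from the Visual Example; `parse`, `expand`, `can` and `redundant` are hypothetical names.

```python
# Added example (not Orgo's code). Domain inclusions from "Automatic Inclusions".
INCLUDES = {
    "ADMIN": {"ADMIN", "HR", "HR_ASSISTANT", "FINANCIAL", "EVENT", "COMMUNICATION"},
    "HR": {"HR", "HR_ASSISTANT"},
    "FINANCIAL": {"FINANCIAL", "HR_ASSISTANT"},
}
# Center tree from "Visual Example" (child -> parent).
PARENT = {"Branch A": "Region North", "Branch B": "Region North",
          "Branch C": "Region North", "Branch D": "Region South",
          "Branch E": "Region South"}
CENTERS = set(PARENT) | set(PARENT.values())

def parse(permission):
    """Split 'HR_ASSISTANT_PARENT_LOCAL' into ('HR_ASSISTANT', 'PARENT_LOCAL')."""
    for scope in ("PARENT_LOCAL", "TENANT", "LOCAL"):  # PARENT_LOCAL before LOCAL
        if permission.endswith("_" + scope):
            return permission[: -len(scope) - 1], scope
    raise ValueError(f"unknown scope suffix: {permission!r}")

def expand(permission, center=None):
    """Return (domains, centers) a grant covers; center is None for _TENANT."""
    domain, scope = parse(permission)
    if scope == "TENANT":
        centers = set(CENTERS)
    elif scope == "PARENT_LOCAL":
        centers = {center} | {c for c, p in PARENT.items() if p == center}
    else:
        centers = {center}
    # Assumption: inclusion and scope compose, e.g. ADMIN_LOCAL implies HR on that branch only.
    return INCLUDES.get(domain, {domain}), centers

def can(grants, domain, target):
    """True if any (permission, center) grant allows `domain` actions on `target`."""
    return any(domain in d and target in c
               for d, c in (expand(*g) for g in grants))

def redundant(grants):
    """Grants fully covered by another grant held by the same user."""
    covered = []
    for i, g in enumerate(grants):
        d, c = expand(*g)
        others = (expand(*o) for j, o in enumerate(grants) if j != i)
        if any(d <= d2 and c <= c2 for d2, c2 in others):
            covered.append(g)
    return covered

if __name__ == "__main__":
    user = [("HR_PARENT_LOCAL", "Region North"), ("HR_ASSISTANT_LOCAL", "Branch A")]
    print(can(user, "HR", "Branch B"), can(user, "HR", "Branch D"), redundant(user))
```

Running `redundant` over each user's grants during an access review surfaces assignments that can be removed without changing what the user can do.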

By Organizational Position

Position | Recommended Permission | Why
President / CEO | ADMIN_TENANT | Full organizational control
Vice President | ADMIN_TENANT or HR_TENANT | Depends on responsibilities
Secretary General | HR_TENANT | Organization-wide member management
Treasurer | FINANCIAL_TENANT | Organization-wide financial access
Communications Director | COMMUNICATION_TENANT | Newsletters, announcements
Regional Director | ADMIN_PARENT_LOCAL | Full control of their region
Regional HR Manager | HR_PARENT_LOCAL | Member management for region
Branch President | ADMIN_LOCAL | Full control of their branch
Branch Secretary | HR_LOCAL | Local member management
Branch Treasurer | FINANCIAL_LOCAL | Local financial operations
Event Coordinator | EVENT_LOCAL or EVENT_TENANT | Based on event scope
Membership Assistant | HR_ASSISTANT_LOCAL | Identity validation, gamification
Regular Member | (none) | Basic member access

Quick Decision Guide

Need full control?

Use ADMIN. For executives and IT administrators who need access to everything.

Managing members?

Use HR. For HR staff, secretaries, and membership officers.

Handling money?

Use FINANCIAL. For treasurers and finance officers.

Running events?

Use EVENT. For event coordinators and activity managers.

Sending communications?

Use COMMUNICATION. For communications officers and community managers.

Helping with validation?

Use HR_ASSISTANT. For volunteers helping with identity checks and gamification.

Complete Permission Reference

All Available Permissions

Permission | Domain | Scope | Level
ADMIN_TENANT | Admin | Organization | 100
ADMIN_PARENT_LOCAL | Admin | Regional | 95
ADMIN_LOCAL | Admin | Local | 90
HR_TENANT | HR | Organization | 83
HR_PARENT_LOCAL | HR | Regional | 75
HR_LOCAL | HR | Local | 70
FINANCIAL_TENANT | Financial | Organization | 82
FINANCIAL_PARENT_LOCAL | Financial | Regional | 55
FINANCIAL_LOCAL | Financial | Local | 50
HR_ASSISTANT_TENANT | HR Assistant | Organization | 81
HR_ASSISTANT_PARENT_LOCAL | HR Assistant | Regional | 35
HR_ASSISTANT_LOCAL | HR Assistant | Local | 30
EVENT_TENANT | Event | Organization | 80
EVENT_PARENT_LOCAL | Event | Regional | 50
EVENT_LOCAL | Event | Local | 10
COMMUNICATION_TENANT | Communication | Organization | 80
COMMUNICATION_PARENT_LOCAL | Communication | Regional | 50
COMMUNICATION_LOCAL | Communication | Local | 10
Level indicates permission strength. Higher level permissions can assign lower level permissions to other users.

Assigning Permissions

Attach permissions to roles, then assign roles to users:
1. Create or edit a Role: go to Settings > Roles.
2. Attach permissions: select which permissions this role grants.
3. Assign role to users: users with this role automatically get the attached permissions.

Direct Assignment

For exceptions, assign permissions directly to a user’s profile.
Direct assignment is harder to audit. Use roles whenever possible.

Testing Permissions (Impersonation)

Administrators can test the platform with different permissions:
1. Click impersonation icon: shield icon in the header.
2. Select permissions to test: choose which permission level to simulate.
3. Browse as that user: see exactly what users with those permissions see.
4. Exit impersonation: click the badge to return to normal.

Troubleshooting

Check if they have the correct domain permission. Use the Domain Comparison table to find which permission controls that feature.
They probably have _TENANT scope instead of _LOCAL. Change to the appropriate scope level.
Check if it’s automatically included by another permission. For example, HR already includes HR_ASSISTANT.
Local center features might be disabled. Enable in Settings > Modules > Local Centers.